Seven Steps to Take When You Have a HIPAA Complaint
1. 7 Steps To Take When You Have A HIPAA Complaint
Jason Karn, Total HIPAA Compliance, LLC
2. What do you do when a client/patient contacts you about improper use of their PHI, and thinks they have a HIPAA Complaint?
When You Receive a Complaint
3. ONE
Open channels of communication
• Listen closely to what the client/patient is saying, what the issue is, and what kind of resolution they are looking for.
• Many times, listening can solve most of your problems, and will keep this person from filing a formal complaint with HHS.
4. TWO
Document the complaint
• Regardless of whether the person files a complaint with HHS, it’s important that you document what the issue was, when it occurred, and what information the person felt was released or used improperly.
5. THREE
Determine how many clients are affected
• If fewer than 500 people are affected, file a report with HHS within 60 days of the end of the calendar year.
• Breaches of over 500 persons’ information need to be reported to HHS within 30 days of discovery, or from when you should have known there was a Breach.
• These large Breaches also need to be reported to prominent local media outlets, and posted on your website.
6. FOUR
Fix the problem
• Sometimes this is easier said than done. (See Slide 1.) Once information has been released, it’s hard, if not impossible, to un-release it.
• Update your records to reflect that you’ve identified the problem and made the necessary changes.
7. FIVE
Reduce the impact
• Many providers give harmed clients/patients free credit monitoring for a year to help mitigate any issues they might come up against.
8. SIX
Review other similar situations
• If you do find there was an issue with your policies or actions of your workforce, you should audit similar records to make sure this is a one-time incident and not the proverbial ‘canary in the coal mine’.
9. SEVEN
Going forward
• This client/patient may still wish to use your services after the complaint. By law, you are NOT allowed to retaliate in any way.
• This may be uncomfortable for you and people in your agency/practice, but the reality is they might be doing you a favor by pointing out an error!
• If the situation does become a major issue, you can suggest that the client/patient might be more comfortable with another provider, but you cannot force them to make this change.
11. Copyright notice from Jason Karn, Total HIPAA Compliance, LLC
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
What does that mean?
You may freely share this slide deck in its entirety with anyone.
Splitting up the deck or charging for the copies is out of bounds.
The original slide deck can be found at